[openstack-dev] [kolla] add service discovery, proxysql, vault, fabio and FQDN endpoints
Florian Engelmann
florian.engelmann at everyware.ch
Wed Oct 10 07:06:50 UTC 2018
Am 10/9/18 um 1:47 PM schrieb Mark Goddard:
>
>
> On Tue, 9 Oct 2018 at 12:03, Florian Engelmann
> <florian.engelmann at everyware.ch <mailto:florian.engelmann at everyware.ch>>
> wrote:
>
> Am 10/9/18 um 11:04 AM schrieb Mark Goddard:
> > Thanks for these suggestions Florian, there are some interesting
> ideas
> > in here. I'm a little concerned about the maintenance overhead of
> adding
> > support for all of these things, and wonder if some of them could be
> > done without explicit support in kolla and kolla-ansible. The kolla
> > projects have been able to move quickly by providing a flexible
> > configuration mechanism that avoids the need to maintain support for
> > every OpenStack feature. Other thoughts inline.
> >
>
> I do understand your apprehensions Mark. For some of the suggested
> changes/additions I agree. But adding those components without
> kolla/kolla-ansible integration feels not right.
>
>
> I'm not entirely against adding some of these things, if enough people
> in the community want them. I'd just like to make sure that if they can
> be done in a sane way without changes, then we do that and document how
> to do it instead.
>
Yes I agree and that is a very important role/job.
>
> >
> > On Mon, 8 Oct 2018 at 11:15, Florian Engelmann
> > <florian.engelmann at everyware.ch
> <mailto:florian.engelmann at everyware.ch>
> <mailto:florian.engelmann at everyware.ch
> <mailto:florian.engelmann at everyware.ch>>>
> > wrote:
> >
> > Hi,
> >
> > I would like to start a discussion about some changes and
> additions I
> > would like to see in in kolla and kolla-ansible.
> >
> > 1. Keepalived is a problem in layer3 spine leaf networks as any
> > floating
> > IP can only exist in one leaf (and VRRP is a problem in
> layer3). I
> > would
> > like to use consul and registrar to get rid of the "internal"
> floating
> > IP and use consuls DNS service discovery to connect all
> services with
> > each other.
> >
> >
> > Without reading up, I'm not sure exactly how this fits together. If
> > kolla-ansible made the API host configurable for each service rather
> > than globally, would that be a step in the right direction?
>
> No that would not help. The problem is HA. Right now there is a
> "central" floating IP (kolla_internal_vip_address) that is used for all
> services to connect to (each other). Keepalived is failing that IP over
> if the "active" host fails. In a layer3 (CLOS/Spine-Leaf) network this
> IP is only available in one leaf/rack. So that rack is a "SPOF".
> Using service discovery fits perfect in a CLOS network and scales much
> better as a HA solution.
>
> Right, but what I'm saying as a thought experiment is, if we gave you
> the required variables in kolla-ansible (e.g. nova_internal_fqdn) to
> make this possible with an externally managed consul service, could that
> work?
Now I get you. I would say all configuration templates need to be
changed to allow, eg.
$ grep http /etc/kolla/cinder-volume/cinder.conf
glance_api_servers = http://10.10.10.5:9292
auth_url = http://internal.somedomain.tld:35357
www_authenticate_uri = http://internal.somedomain.tld:5000
auth_url = http://internal.somedomain.tld:35357
auth_endpoint = http://internal.somedomain.tld:5000
to look like:
glance_api_servers = http://glance.service.somedomain.consul:9292
auth_url = http://keystone.service.somedomain.consul:35357
www_authenticate_uri = http://keystone.service.somedomain.consul:5000
auth_url = http://keystone.service.somedomain.consul:35357
auth_endpoint = http://keystone.service.somedomain.consul:5000
>
> >
> >
> > 2. Using "ports" for external API (endpoint) access is a
> major headache
> > if a firewall is involved. I would like to configure the
> HAProxy (or
> > fabio) for the external access to use "Host:" like, eg. "Host:
> > keystone.somedomain.tld", "Host: nova.somedomain.tld", ...
> with HTTPS.
> > Any customer would just need HTTPS access and not have to
> open all
> > those
> > ports in his firewall. For some enterprise customers it is
> not possible
> > to request FW changes like that.
> >
> > 3. HAProxy is not capable to handle "read/write" split with
> Galera. I
> > would like to introduce ProxySQL to be able to scale Galera.
> >
> >
> > It's now possible to use an external database server with
> kolla-ansible,
> > instead of deploying a mariadb/galera cluster. This could be
> implemented
> > how you like, see
> >
> https://docs.openstack.org/kolla-ansible/latest/reference/external-mariadb-guide.html.
>
> Yes I agree. And this is what we will do in our first production
> deployment. But I would love to see ProxySQL in Kolla as well.
> As a side note: Kolla-ansible does use:
>
> option mysql-check user haproxy post-41
>
> to check Galera, but that check does not fail if the node is out of
> sync
> with the other nodes!
>
> http://galeracluster.com/documentation-webpages/monitoringthecluster.html
>
> That's good to know. Could you raise a bug in kolla-ansible on
> launchpad, and offer advice on how to improve this check if you have any?
>
done: https://bugs.launchpad.net/kolla-ansible/+bug/1796930
>
> >
> > 4. HAProxy is fine but fabio integrates well with consul,
> statsd and
> > could be connected to a vault cluster to manage secure
> certificate
> > access.
> >
> > As above.
> >
> > 5. I would like to add vault as Barbican backend.
> >
> > Does this need explicit support in kolla and kolla-ansible, or
> could it
> > be done through configuration of barbican.conf? Are there additional
> > packages required in the barbican container? If so, see
> >
> https://docs.openstack.org/kolla/latest/admin/image-building.html#package-customisation.
>
> True but the vault (and consul) containers could be deployed and
> managed
> by kolla-ansible.
>
> I'd like to see if anyone else is interested in this. Kolla ansible
> already deploys a large number of services, which is great. As with many
> other projects I'm seeing the resources of core contributors fall off a
> little, and I think we need to consider how to ensure the project is
> maintainable long term. In my view a good way of doing that is to enable
> integration with existing services, rather than deploying them. We need
> to decide where the line is as a community. We have an IRC meeting at
> 3pm UTC if you'd like to bring it up then.
Sorry I didn't manage to attend the IRC meeting. But again, I aggree, it
would be great to extend the (already great) felxibility of
kolla-ansible to be "add" "external" services.
>
> >
> > 6. I would like to add an option to enable tokenless
> authentication for
> > all services with each other to get rid of all the openstack
> service
> > passwords (security issue).
> >
> > Again, could this be done without explicit support?
>
> We did not investigate here. Changes to the apache configuration are
> needed. I guess we will have to change the kolla container itself to do
> so? Is it possible to "inject" files in a container using kolla-ansible?
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5210 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20181010/b820ca5d/attachment.bin>
More information about the OpenStack-dev
mailing list